Method, system and computer product for securing patient identity

ABSTRACT

A method for securing patient identity comprising accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data. De-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The de-identifying results in de-identified first patient data and includes the replacement of the first patient identifier with the first encoded patient identifier. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system. The identifying includes the creation of a second patient identifier responsive to the second encoded patient identifier.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application relates to and claims the benefit of priority as a continuation of U.S. patent application Ser. No. 12/424,904, filed on Apr. 16, 2009, entitled “Method, System and Computer Product for Securing Patient Identity,” which relates to and claims the benefit of priority as a continuation of U.S. patent application Ser. No. 10/420,218, filed on Apr. 22, 2003, entitled “Method, System and Computer Product for Securing Patient Identity,” each of which is herein incorporated by reference in its entirety.

BACKGROUND OF INVENTION

The present disclosure relates generally to a method for securing patient identity and in particular, to a method for de-identifying patient data at an ambulatory patient care provider (PCP) site for submission to a data warehouse system and then re-identifying a patient, at the PCP site, from de-identified patient data received from the data warehouse system.

Data warehousing methods have been used to aggregate, clean, stage, report and analyze patient information derived from medical claims billing and electronic medical records (EMR). Patient data may be extracted from multiple EMR databases located at PCP sites in geographically dispersed locations, then transported and stored in a centrally located data warehouse. The central data warehouse may be a source of information for population-based profile reports of physician productivity, preventative care, disease-management statistics and research on clinical outcomes. Patient data is sensitive and confidential, and therefore, specific identifying information must be removed prior to transporting it from a PCP site to a central data warehouse. This removal of identifying information must be performed per the federal Health Insurance Portability and Accountability Act (HIPAA) regulations. Any data that is contained in a public database must not reveal the identity of the individual patients whose medical information is contained in the database. Because of this requirement, any information contained on a medical report or record that could aid in tracing back to a particular individual must be removed from the report or record prior to adding the data to a data warehouse for public data mining.

In order to accurately assess the impact of a particular drug or treatment on a patient it is helpful to analyze all medical reports relating to the particular patient. Removing data that can be used to trace back to an individual patient can make it impossible to group and analyze all medical reports relating to a particular patient. In addition, one of the aims of population analysis is to assemble an at-risk cohort population comprised of individuals who may be candidates for clinical intervention. However, de-identified data is not very useful to the patient care providers who need to know the identity of their own patients in order to treat them.

SUMMARY OF INVENTION

One aspect of the invention is a method for securing patient identity. The method comprises accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data. De-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The de-identifying results in de-identified first patient data and includes the replacement of the first patient identifier with the first encoded patient identifier. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system. The identifying includes the creation of a second patient identifier responsive to the second encoded patient identifier.

Another aspect of the invention is a method for securing patient identity. The method comprises accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data, resulting in de-identified first patient data. The de-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The creation of a first encoded patient identifier includes: receiving a user entered password string; hashing the user entered password string into a sixteen digit number; and summing the sixteen digit number with said first patient identifier, resulting in the first encoded patient identifier. The de-identifying further includes replacing the first patient identifier with the first encoded patient identifier, and removing or transforming identifying data from the patient data for a first patient that may be used to identify the first patient. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system. The identifying includes the creation of a second patient identifier by subtracting the sixteen digit number from the second encoded patient identifier, resulting in a second patient identifier.

Another aspect of the invention is a system for securing patient identity. The system comprises a network, a storage device, and a patient care provider system in communication with the storage device and the network. The patient care provider system includes software to implement a method. The method comprises accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data. De-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The de-identifying results in de-identified first patient data and includes the replacement of the first patient identifier with the first encoded patient identifier. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system. The identifying includes the creation of a second patient identifier responsive to the second encoded patient identifier.

A further aspect of the invention is a computer program product for securing patient identity. The computer program product comprises a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for implementing a method. The method comprises accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data. De-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The de-identifying results in de-identified first patient data and includes the replacement of the first patient identifier with the first encoded patient identifier. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system. The identifying includes the creation of a second patient identifier responsive to the second encoded patient identifier.

A further aspect of the invention is a computer program product for securing patient identity. The computer program product comprises a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for implementing a method. The method comprises accessing an electronic medical records database including patient data for a plurality of patients. Each patient in the electronic medical records database is assigned a unique patient identifier. Patient data for a first patient, including a first patient identifier, is retrieved from the electronic medical records database. The first patient is de-identified from the patient data, resulting in de-identified first patient data. The de-identifying includes the creation of a first encoded patient identifier responsive to the first patient identifier. The creation of a first encoded patient identifier includes: receiving a user entered password string; hashing the user entered password string into a sixteen digit number; and summing the sixteen digit number with said first patient identifier, resulting in the first encoded patient identifier. The de-identifying further includes replacing the first patient identifier with the first encoded patient identifier, and removing or transforming identifying data from the patient data for a first patient that may be used to identify the first patient. The de-identified first patient data is transmitted to a data warehouse system. The method further comprises identifying a second patient in response to receiving report data that includes a second encoded patient identifier from the data warehouse system. The identifying includes the creation of a second patient identifier by subtracting the sixteen digit number from the second encoded patient identifier, resulting in a second patient identifier. Further aspects of the invention are disclosed herein.

BRIEF DESCRIPTION OF DRAWINGS

Referring to the exemplary drawings wherein like elements are numbered alike in the several Figures:

FIG. 1 is an exemplary system for securing patient identity;

FIG. 2 is a block diagram of an exemplary data warehouse system architecture;

FIG. 3 is a block diagram of an exemplary process for de-identifying patient data during data extraction; and

FIG. 4 is a block diagram of an exemplary process for re-identifying a patient from de-identified patient data.

DETAILED DESCRIPTION

An exemplary embodiment of the present invention is a secure process for sending de-identified patient information from an ambulatory patient care provider (PCP) site to a data warehouse system where the patient data may be analyzed and compared with a wider range of patient data. The terms “de-identified patient information” and “de-identified patient data” as used in this document refer to both fully de-identified data as defined by HIPAA and limited data set data as defined by HIPAA. A limited data set is protected health information for research, public health and health care operations that excludes direct identifiers (e.g., name; postal address other than city, state and zip code; social security number; medical records numbers) but in which other identifying information may remain (e.g., dates of examination; documentation; diagnosis; prescription; lab test results). This is contrasted with fully de-identified data as defined by HIPAA, where all data that may be used to trace back to an individual patient is removed from the record. Information obtained through the data warehouse that pertains to individual patients is transmitted back to the originating PCP site, via a cohort report. Cohort reports are generated by queries that are executed against the data warehouse system to identify patient cohort groups. The individual patients included in a cohort report are then re-identified at the PCP site so that the PCPs may consider the information when deciding on treatment options for the individual patients.

FIG. 1 is an exemplary system for securing patient identity. PCP systems 108 located at various PCP sites are connected to a network 106. The PCP systems 108 send patient medical data to a data warehouse located on a data warehouse system 104. The PCP systems 108 typically include application software to perform data extraction along with one or more storage devices for storing the electronic medical records (EMRs) associated with patients treated at the PCP site. In addition, the PCP systems 108 may include PCP user systems 110 to access the EMR data, to initiate the data extraction and to enter a password string to be used for encrypting a patient identifier. The PCP user systems 110 may be directly attached to the PCP system 108 or they may access the PCP system 108 via the network 106. Each PCP user system 110 may be implemented using a general-purpose computer executing a computer program for carrying out the processes described herein. The PCP user systems 110 may be personal computers or host attached terminals. If the PCP user systems 110 are personal computers, the processing described herein may be shared by a PCP user system 110 and a PCP system 108 by providing an applet to the PCP user system 110. The storage device located at the PCP system 108 may be implemented using a variety of devices for storing electronic information such as a file transfer protocol (FTP) server. It is understood that the storage device may be implemented using memory contained in the PCP system 108 or it may be a separate physical device. The storage device contains a variety of information including an EMR database.

In addition, the system of FIG. 1 includes one or more data warehouse user systems 102 through which an end-user may make a request to an application program on the data warehouse system 104 to access particular records stored in the data warehouse (e.g., to create a cohort report). In an exemplary embodiment of the present invention, end-users may include PCP staff members, pharmaceutical company research team members and personnel from companies that make medical products. The data warehouse user systems 102 may be directly connected to the data warehouse system 104 or they may be coupled to the data warehouse system 104 via the network 106. Each data warehouse user system 102 may be implemented using a general-purpose computer executing a computer program for carrying out the processes described herein. The data warehouse user systems 102 may be personal computers or host attached terminals. If the data warehouse user systems 102 are personal computers, the processing described herein may be shared by a data warehouse user system 102 and the data warehouse system 104 by providing an applet to the data warehouse user system 102.

The network 106 may be any type of known network including a local area network (LAN), a wide area network (WAN), an intranet, or a global network (e.g., Internet). A data warehouse user system 102 may be coupled to the data warehouse system 104 through multiple networks (e.g., intranet and Internet) so that not all data warehouse user systems 102 are required to be coupled to the data warehouse system 104 through the same network. Similarly, a PCP system 108 may be coupled to the data warehouse system 104 through multiple networks (e.g., intranet and Internet) so that not all PCP systems 108 are required to be coupled to the data warehouse system 104 through the same network. One or more of the data warehouse user systems 102, the PCP systems 108 and the data warehouse system 104 may be connected to the network 106 in a wireless fashion and the network 106 may be a wireless network. In an exemplary embodiment, the network 106 is the Internet and each data warehouse user system 102 executes a user interface application to directly connect to the data warehouse system 104. In another embodiment, a data warehouse user system 102 may execute a web browser to contact the data warehouse system 104 through the network 106. Alternatively, a data warehouse user system 102 may be implemented using a device programmed primarily for accessing the network 106 such as WebTV.

The data warehouse system 104 may be implemented using a server operating in response to a computer program stored in a storage medium accessible by the server. The data warehouse system 104 may operate as a network server (often referred to as a web server) to communicate with the data warehouse user systems 102 and the PCP systems 108. The data warehouse system 104 handles sending and receiving information to and from data warehouse user systems 102 and PCP systems 108 and can perform associated tasks. The data warehouse system 104 may also include a firewall to prevent unauthorized access to the data warehouse system 104 and enforce any limitations on authorized access. For instance, an administrator may have access to the entire system and have authority to modify portions of the system and a PCP staff member may only have access to view a subset of the data warehouse records for particular patients. In an exemplary embodiment, the administrator has the ability to add new users, delete users and edit user privileges. The firewall may be implemented using conventional hardware and/or software as is known in the art.

The data warehouse system 104 also operates as an application server. The data warehouse system 104 executes one or more application programs to provide access to the data repository located on the data warehouse system, as well as application programs to import patient data into a staging area and then into the data warehouse. In addition, the data warehouse system 104 may also execute one or more applications to create patient cohort reports and to send the patient cohort reports to the PCP systems 108. Processing may be shared by the data warehouse user system 102 and the data warehouse system 104 by providing an application (e.g., java applet) to the data warehouse user system 102. Alternatively, the data warehouse user system 102 can include a stand-alone software application for performing a portion of the processing described herein. Similarly, processing may be shared by the PCP system 108 and the data warehouse system 104 by providing an application to the PCP system 108 and alternatively, the PCP system 108 can include a stand-alone software application for performing a portion of the processing described herein. It is understood that separate servers may be used to implement the network server functions and the application server functions. Alternatively, the network server, firewall and the application server can be implemented by a single server executing computer programs to perform the requisite functions.

The storage device located at the data warehouse system 104 may be implemented using a variety of devices for storing electronic information such as a file transfer protocol (FTP) server. It is understood that the storage device may be implemented using memory contained in the data warehouse system 104 or it may be a separate physical device. The storage device contains a variety of information including a data warehouse containing patient medical data from one or more PCPs. The data warehouse system 104 may also operate as a database server and coordinate access to application data including data stored on the storage device. The data warehouse may be physically stored as a single database with access restricted based on user characteristics or it can be physically stored in a variety of databases including portions of the database on the data warehouse user systems 102 or the data warehouse system 104. In an exemplary embodiment, the data repository is implemented using a relational database system and the database system provides different views of the data to different end-users based on end-user characteristics.

FIG. 2 is a block diagram of an exemplary data warehouse architecture. Patient data is extracted from EMR databases located in the PCP systems 108. In an exemplary embodiment of the present invention, an EMR database record includes data such as: patient name and address, medications, allergies, observations, diagnoses, and health insurance information. The PCP systems 108 include application software for extracting patient data from the EMR database. The data is then de-identified and transported (e.g., via Hypertext Transfer Protocol Secure (HTTPS)) over the network 106 to the data warehouse system 104. The data warehouse system 104 includes application software to perform a data import function 206. The data import function 206 aggregates and cleanses de-identified patient data from multiple sites and then stores the data into a staging area 208. Data received from multiple PCP systems 108 is normalized, checked for validity and completeness, and either corrected or flagged as defective. Data from multiple PCP systems 108 is then combined together into a relational database. Aggregation, cleaning and staging data in the described fashion allows the data to be queried meaningfully and efficiently, either as a single entity or specific to each individual PCP site 108. The de-identified patient data is then staged into a data warehouse 210 where it is available for querying.

Patient cohort reports 212 are generated by application software located on the data warehouse system 104 and returned to the PCP systems 108 for use by the primary care providers in treating individual patients. Patient cohort reports 212 may be automatically generated by executing a canned query on a periodic basis. PCP staff members, pharmaceutical company research team members and personnel from companies that make medical products may each run patient cohort reports 212. In addition, patient cohort reports 212 may be created by an end-user accessing a data warehouse user system 102 to create custom reports or to initiate the running of canned reports. Further, patient cohort reports 212 may be automatically generated in response to the application software, located on the data warehouse system 104, determining that particular combinations of data for a patient are stored in the data warehouse. An exemplary patient cohort report 212 includes all patients with a particular disease that were treated with a particular medication. Another exemplary patient cohort report 212 includes patients of a particular age and sex who have particular test results. For example, a patient cohort report 212 may list all women with heart disease who are taking a hormone replacement therapy drug. The patient cohort report 212 would list all the patients with records in the data warehouse 210 that fit these criteria along with a warning about the possible side-effects and the likelihood of the side-effects occurring. In an exemplary embodiment, each PCP site receives the entire report; in another embodiment, each PCP site receives the report only for patients that are being treated at the PCP site.

In an exemplary embodiment of the present invention, the ability to create patient cohort reports 212 based on querying longitudinal patient data is supported by the ability to connect all records relating to a single patient in the data warehouse 210. This requires a unique identifier to be associated with each patient record that is transmitted to the data warehouse 210. The unique identifier must not be traceable back to an individual patient by end-users accessing the data warehouse 210. However, individual PCPs may want to retain the ability to re-identify a patient based on the unique identifier so that the medical personnel located at the PCP site can follow through with the patient in response to information included in the patient cohort reports 212. FIG. 3 depicts an exemplary process for de-identifying patient data for storage in a data warehouse 210 located at the data warehouse system 104 and FIG. 4 depicts an exemplary process for re-identifying a patient from the de-identified patient data contained in a patient cohort report 212.

FIG. 3 is a block diagram of an exemplary process for de-identifying patient data during data extraction for transmission to a data warehouse system 104. The de-identification process removes information that will identify a patient while still retaining clinically useful information about the patient. Patient data is extracted from the EMR database 302 and identifying information is removed, resulting in de-identified patient data. In an exemplary embodiment of the present invention, an EMR database 302 includes the following patient identifying demographic data: names; geographic identifiers, including address; dates directly related to an individual, including birth date, admission date, discharge date and date of death; telephone and fax numbers; electronic mail addresses; social security number; medical record number; health plan beneficiary; account numbers; certificate or license numbers; vehicle identifiers and serial numbers including license plate numbers; device identifiers and serial numbers, web Universal Resource Locators (URLs) and internet protocol (IP) address numbers; biometric identifiers, including finger and voice prints; full face photographic images and comparable images; other unique identifying numbers, characteristics and codes assigned by the PCP or by the EMR system for administrative purposes, including a patient identifier (PID) 304. The EMR database 302 also includes information about: the patient diagnosis or problem; medications taken or prescribed; observations, diagnostic laboratory tests and vital signs; subjective and objective findings, assessments, orders, plans, and notes documented by healthcare providers. The EMR database 302 also includes audit information that records the date, time, and identity of persons who have created, read, updated, or deleted information from the patient record. The EMR database 302 record for each patient also contains a numeric key known as the PID 304 which may be used to uniquely identify an individual patient. The PID 304 is encoded as part of the de-identification process to create an encoded patient identifier (EPID) 308. The EPID 308 is sent, along with the de-identified patient data, to the data warehouse system 104.

The extraction process is performed by application software located on the PCP system 108 and may be executed in the background on a periodic basis (e.g., at 2 a.m. every night, at 2 a.m. every Saturday). In this manner, the extraction process will be less likely to interfere with existing software located on the PCP system 108. The extraction process may also be initiated by a remote system (e.g., the data warehouse system 104) and may include full or incremental back-up schemes. In an exemplary embodiment of the present invention, the following identifiers are removed or transformed in order to create de-identified data that would be classified under the HIPAA definition as fully de-identified data: name, geographic subdivisions smaller than a state including street address, city, county, precinct, zip code (down to the last three digits), dates directly related to an individual (e.g., birth date), phone and fax numbers, electronic mail addresses, health plan number, account number, certificate/license number, device identifier and serial numbers, uniform resource locator (URL), Internet protocol (IP) address, biometric identifiers, full face photograph, and other unique identifying numbers, characteristics or codes.

In an alternate exemplary embodiment of the present invention, the following identifiers are removed or transformed in order to create de-identified data that would be classified under the HIPAA definition as limited data set information: direct identifiers such as name, postal address (other than city, state and zip code), social security number and medical records numbers. In the limited data set information implementation of the present invention some identifying information may remain, such as dates of examination, documentation, diagnosis, prescription and lab test results.
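The two embodiments above differ only in which fields leave the record. The following is an added example, not code from the patent or from any product built on it; the record layout and field names are constructed for illustration, and the "keep the year" treatment of dates and the "keep the leading three digits" reading of the zip code rule are assumptions made here. It de-identifies one constructed EMR record in either mode and then runs the residual-identifier check a site would want before anything is transmitted to the warehouse.

```python
"""De-identifying one EMR record at the PCP site before extraction.

Added example, not code from the patent. The record layout and field names
are constructed. "full" follows the fully de-identified embodiment (listed
identifiers removed or transformed); "limited" follows the limited data set
embodiment (direct identifiers removed, dates retained). The PID field is
left in place because the separate encoding step replaces it with the EPID.
"""
import copy

# Identifier fields removed in "full" mode (constructed field names that map
# onto the identifier list in the text).
FULL_REMOVE = frozenset({
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_no", "license_no",
    "device_serial", "url", "ip", "biometric", "photo",
})
# Dates directly related to the individual are transformed to year only.
# Keeping the year instead of dropping the date is an assumption made here.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})
# Direct identifiers removed in "limited" mode; city, state, zip and dates stay.
LIMITED_REMOVE = frozenset({"name", "street", "ssn", "mrn"})


def deidentify(record: dict, mode: str) -> dict:
    """Return a de-identified copy of record; the EMR record itself is untouched."""
    out = copy.deepcopy(record)
    if mode == "full":
        for field in FULL_REMOVE:
            out.pop(field, None)
        for field in out.keys() & DATE_FIELDS:
            out[field] = out[field][:4]          # "1961-03-14" -> "1961"
        if "zip" in out:
            # Assumption: "zip code (down to the last three digits)" is read
            # as retaining only the leading three digits.
            out["zip"] = out["zip"][:3]
    elif mode == "limited":
        for field in LIMITED_REMOVE:
            out.pop(field, None)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return out


def residual_identifiers(record: dict) -> set:
    """Fields from the full-removal list still present in a record: the check
    to run on the output before it leaves the site."""
    return record.keys() & FULL_REMOVE


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "pid": 10452,
    "name": "Jane Example",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "MA",
    "zip": "01101",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "mrn": "MRN-7781",
    "birth_date": "1961-03-14",
    "admission_date": "2003-02-11",
    "diagnoses": ["I25.10"],
    "medications": ["atorvastatin"],
}

if __name__ == "__main__":
    for mode in ("full", "limited"):
        out = deidentify(SAMPLE_RECORD, mode)
        print(mode, sorted(out), "residual:", sorted(residual_identifiers(out)))
```

In "limited" mode the residual check still reports the city and phone fields, which is expected: a limited data set is not fully de-identified, and the check makes that difference visible rather than letting the two outputs be confused downstream.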

A novel EPID 308 is assigned to each patient based on the PID 304 associated with the patient and a password entered by the PCP. The PID 304 to EPID 308 mapping is not maintained persistently. As depicted in the exemplary embodiment shown in FIG. 3, a password string 312 is supplied by the PCP via a password encryption user interface 310 on the PCP user system 110. This password string 312 is known only to the PCP and is required in order to decode the EPID 308 into a PID 304. The user at the PCP site must have the password string 312 to obtain the PID 304 and this password string 312 must be re-entered each time a patient is to be re-identified. The password encryption user interface 310 may be a graphical user interface. In an exemplary embodiment of the present invention, the user entered password string 312 is encoded using the Twofish algorithm. The Twofish algorithm, as known in the art, is a secret-key block cipher cryptography algorithm that is designed to be highly secure and highly flexible. It utilizes a single key for both encryption and decryption and is often referred to as symmetric encryption. The encoding is performed by patient identifier encoding software 306 located on the PCP system 108. The patient identifier encoding software 306 also hashes the encoded password string to produce a sixteen-digit number. This sixteen-digit number is numerically added to the PID 304 to create the EPID 308. Other methods of creating the EPID 308 from the PID 304 may be utilized with an exemplary embodiment of the present invention (e.g., Rivest, Shamir and Adleman, or RSA) as long as the EPID may only be decoded at the PCP site.

FIG. 4 is a block diagram of an exemplary process for re-identifying a patient from de-identified patient data. As described previously, population cohort reports 212 of at-risk patients are created by running queries against the data warehouse 210. De-identified individuals may be tracked longitudinally and queried as members of anonymous population cohorts, based on clinical selection criteria. The query result, contained in the cohort report 212, is a list of EPIDs 308. A list of patient EPIDs 308 in a patient cohort report 212 is received by the PCP system 108. The EPIDs 308 are read into the patient identifier decoding software 402, located on the PCP system 108, and the original PID 304 is recreated. The PID 304 may be used as a key to look up additional identifying information from the EMR database 302. Employees of the PCP may utilize the patient-specific information from the EMR database 302 to counsel the patient and to decide on treatment alternatives.
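The encoding step of FIG. 3 and the decoding step of FIG. 4 are inverses built on one sixteen-digit number, so both sides are shown together in the following added example, which is not code from the patent or from software 306 or 402. The text encodes the password with Twofish and then hashes the result; Twofish is not in the Python standard library, so hashlib.sha256 over the password string stands in for the encode-then-hash step (an assumption made here). The additive EPID = PID + number, the subtraction on return, the absence of any stored PID-to-EPID table, and the sample PIDs and password are all constructed for this example.

```python
"""Encoding a PID into an EPID at extraction (FIG. 3) and recovering it from
a cohort report (FIG. 4).

Added example, not code from the patent. hashlib.sha256 over the password
replaces the Twofish-then-hash step in the text (an assumption); the
sixteen-digit reduction, addition and subtraction follow the text.
"""
import hashlib

MODULUS = 10 ** 16   # the hash output is reduced to at most sixteen digits


def sixteen_digit_number(password: str) -> int:
    """Hash the user-entered password string into a number below 10**16."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % MODULUS


def encode_pid(pid: int, password: str) -> int:
    """PID -> EPID: numerically add the sixteen-digit number to the PID."""
    return pid + sixteen_digit_number(password)


def decode_epid(epid: int, password: str) -> int:
    """EPID -> PID: subtract the same sixteen-digit number."""
    return epid - sixteen_digit_number(password)


def deidentify_records(records: list, password: str) -> list:
    """Replace each record's 'pid' with an 'epid'. No PID-to-EPID table is
    kept; only re-entering the password re-creates the mapping."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["epid"] = encode_pid(rec.pop("pid"), password)
        out.append(rec)
    return out


def reidentify_report(epids: list, password: str, emr_pids: set) -> tuple:
    """Map cohort-report EPIDs back to PIDs, accepting only PIDs that exist in
    the local EMR. Subtraction always yields some number, so without this
    lookup a mistyped password or another site's EPID would silently point
    at the wrong patient. Returns (accepted PIDs, rejected EPIDs)."""
    found, rejected = [], []
    for epid in epids:
        pid = decode_epid(epid, password)
        if pid in emr_pids:
            found.append(pid)
        else:
            rejected.append(epid)
    return found, rejected


# Constructed sample data; not real identifiers or a real password.
SITE_PASSWORD = "constructed-site-password"
EMR_PIDS = {10452, 10453, 20017}

if __name__ == "__main__":
    extracted = deidentify_records(
        [{"pid": 10452, "diagnoses": ["I25.10"]}, {"pid": 20017, "diagnoses": ["E11.9"]}],
        SITE_PASSWORD,
    )
    report_epids = [rec["epid"] for rec in extracted] + [5]   # 5: not from this site
    print(reidentify_report(report_epids, SITE_PASSWORD, EMR_PIDS))
```

Two properties of the additive scheme are worth noting when weighing it against the "other methods" the text allows. Every PID at a site is offset by the same sixteen-digit number, so the difference between two EPIDs equals the difference between the corresponding PIDs: the scheme hides the PID values but not their spacing. And because decoding never fails on its own, the EMR lookup in reidentify_report is the check the decoding software should make before a recovered PID is used as a key into the EMR database.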

An embodiment of the present invention allows for ambulatory PCPs tosend patient data into a data warehouse containing patient data fromother ambulatory PCPs. In this manner, patient data may be analyzed andcompared to a larger population of patients. The de-identified patientdata includes an EPID 308 that may be useful in creating longitudinalreports that analyze more than one record for a particular patient. Theeffects of certain drugs and treatments on patient cohort groups can beanalyzed and may lead to improvements in the use or composition of thedrugs and treatments. In addition, an embodiment of the presentinvention allows for the PCP to receive cohort reports 212 based on datacontained in the data warehouse. These patient cohort reports 212include an EPID 308 for each patient. The EPID 308 may be decoded at thePCP site that created the EPID 308 and used to identify a particularpatient. In this manner a PCP, by considering the information containedin the cohort report, may be able to provide improved treatment to thepatient. This ability to provide useful information back to a patientlevel may also lead more PCPs to participate in sending patient data toa data warehouse. Having more data in the data warehouse may providemore useful information to third parties such as pharmaceuticalcompanies, medical device companies and physicians about the effects andrisks of particular treatments, while minimizing the risk of disclosingpatient-identifying information to third parties. This may lead toimprovements in preventative care as well as other types of medicalcare.

As described above, the embodiments of the invention may be embodied in the form of computer-implemented processes and apparatuses for practicing those processes. Embodiments of the invention may also be embodied in the form of computer program code containing instructions embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other computer-readable storage medium, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the invention. An embodiment of the present invention can also be embodied in the form of computer program code, for example, whether stored in a storage medium, loaded into and/or executed by a computer, or transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via electromagnetic radiation, wherein, when the computer program code is loaded into and executed by a computer, the computer becomes an apparatus for practicing the invention. When implemented on a general-purpose microprocessor, the computer program code segments configure the microprocessor to create specific logic circuits.

While the invention has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular situation or material to the teachings of the invention without departing from the essential scope thereof. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope of the appended claims. Moreover, the use of the terms first, second, etc. does not denote any order or importance; rather, the terms first, second, etc. are used to distinguish one element from another.

1. A method for securing patient identity, the method comprising: accessing patient data for a first patient from an electronic medical records database, wherein said patient data for said first patient includes a first patient identifier; de-identifying said first patient from said patient data for said first patient including the creation of a first encoded patient identifier responsive to said first patient identifier, wherein said de-identifying results in de-identified first patient data and includes the replacement of said first patient identifier with said first encoded patient identifier, wherein said creation of said first encoded patient identifier includes encoding a password string using a symmetric encryption resulting in said first encoded patient identifier; transmitting said de-identified first patient data to a data warehouse system; connecting data relating to said first patient in said data warehouse; and re-identifying said first patient in response to receiving report data including said first encoded patient identifier from said data warehouse system, wherein said identifying includes the recreation of said first patient identifier responsive to said first encoded patient identifier.
2. The method of claim 1, wherein said symmetric encryption comprises a block cipher encryption.
3. The method of claim 2, wherein said block cipher encryption comprises a two-fish algorithm.
4. The method of claim 1 wherein said de-identifying further includes removing or transforming identifying data from said patient data for said first patient that may be used to identify said first patient.
5. The method of claim 1 wherein said recreation of said first patient identifier includes accessing an encryption key and applying said encryption key to said first encoded patient identifier.
6. The method of claim 1 further comprising retrieving said patient data for said first patient from said electronic medical records database using said first patient identifier as a key into said electronic medical records database.
7. The method of claim 1, wherein said first patient is re-identified by a patient care provider as part of an at-risk cohort.
8. A method for securing patient identity, the method comprising: accessing patient data for a first patient from an electronic medical records database, wherein said patient data for said first patient includes a first patient identifier; de-identifying said first patient from said patient data for said first patient including the creation of a first encoded patient identifier responsive to said first patient identifier, wherein said de-identifying results in de-identified first patient data and includes the replacement of said first patient identifier with said first encoded patient identifier, wherein said creation of said first encoded patient identifier includes encoding a password string using a Rivest Shamir and Adelman (RSA) key encryption resulting in said first encoded patient identifier; transmitting said de-identified first patient data to a data warehouse system; connecting data relating to said first patient in said data warehouse; and re-identifying said first patient in response to receiving report data including said first encoded patient identifier from said data warehouse system, wherein said identifying includes the recreation of said first patient identifier responsive to said first encoded patient identifier.
9. The method of claim 8 wherein said de-identifying further includes removing or transforming identifying data from said patient data for said first patient that may be used to identify said first patient.
10. The method of claim 8 wherein said recreation of said first patient identifier includes accessing an encryption key and applying said encryption key to said first encoded patient identifier.
11. The method of claim 8 further comprising retrieving said patient data for said first patient from said electronic medical records database using said first patient identifier as a key into said electronic medical records database.
12. The method of claim 8, wherein said first patient is re-identified by a patient care provider as part of an at-risk cohort.
13. A computer program product for securing patient identity, the product comprising: a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for: accessing an electronic medical records database including patient data for a plurality of patients, wherein each said patient is assigned a unique patient identifier; retrieving said patient data for a first patient from said electronic medical records database, wherein said patient data for said first patient includes a first patient identifier; de-identifying said first patient from said patient data for said first patient resulting in de-identified first patient data, wherein said de-identifying includes: creating a first encoded patient identifier responsive to said first patient identifier, wherein said creating includes: encoding a password string using a symmetric encryption resulting in said first encoded patient identifier; replacing said first patient identifier with said first encoded patient identifier; and removing or transforming identifying data from said patient data for said first patient that may be used to identify said first patient; transmitting said de-identified first patient data to a data warehouse system; and re-identifying said first patient in response to receiving report data including said first encoded patient identifier from said data warehouse system, wherein said identifying includes applying a symmetric encryption to said first encoded patient identifier resulting in said first patient identifier.
14. The computer program product of claim 13, wherein said symmetric encryption comprises a block cipher encryption.
15. The computer program product of claim 14, wherein said block cipher encryption comprises a two-fish algorithm.
16. The computer program product of claim 13 further comprising retrieving said patient data for said first patient from said electronic medical records database using said first patient identifier as a key into said electronic medical records database.
17. The computer program product of claim 13, wherein said first patient is re-identified by a patient care provider as part of an at-risk cohort.
18. A computer program product for securing patient identity, the product comprising: a storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for: accessing an electronic medical records database including patient data for a plurality of patients, wherein each said patient is assigned a unique patient identifier; retrieving said patient data for a first patient from said electronic medical records database, wherein said patient data for said first patient includes a first patient identifier; de-identifying said first patient from said patient data for said first patient resulting in de-identified first patient data, wherein said de-identifying includes: creating a first encoded patient identifier responsive to said first patient identifier, wherein said creating includes: encoding a password string using a Rivest Shamir and Adelman (RSA) key encryption resulting in said first encoded patient identifier; replacing said first patient identifier with said first encoded patient identifier; and removing or transforming identifying data from said patient data for said first patient that may be used to identify said first patient; transmitting said de-identified first patient data to a data warehouse system; and re-identifying said first patient in response to receiving report data including said first encoded patient identifier from said data warehouse system, wherein said identifying includes applying a Rivest Shamir and Adelman (RSA) key encryption to said first encoded patient identifier resulting in said first patient identifier.
19. The computer program product of claim 18 further comprising retrieving said patient data for said first patient from said electronic medical records database using said first patient identifier as a key into said electronic medical records database.
 20. The computer program product of claim 18, wherein said first patient is re-identified by a patient care provider as part of an at-risk cohort.
 21. The computer program product of claim 18, wherein said first patient is re-identified by a patient care provider as part of an at-risk cohort.